[Samba] Unable to join domain

Rob Campbell robcampbell08105 at gmail.com
Wed Oct 13 08:18:04 UTC 2021


Doing some more digging I followed the error links
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#DNS_Update_failed:_ERROR_DNS_UPDATE_FAILED
-> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Troubleshooting
Samba is started and running and is the only thing listening on port 53.  I
did check the log.samba and found this

[2021/10/12 23:23:44.674248,  0] ../../source4/dns_server/dns_update.c:418(handle_one_update)
  Can't handle updates of type 255 yet


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Tue, Oct 12, 2021 at 10:15 PM Rob Campbell <robcampbell08105 at gmail.com>
wrote:

> > Are the winbind links set up correctly and is 'winbind' set on the
> > 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>
> I didn't compile winbind so I didn't think I needed to do any symlinks but
> this is what it is:
> la /usr/lib64/libnss_winbind.so /usr/lib64/libnss_winbind.so.2
> lrwxrwxrwx. 1 root root  19 Aug 25 11:35 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 16K Aug 25 11:35 /usr/lib64/libnss_winbind.so.2
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Oct 12, 2021 at 5:25 PM Rob Campbell <robcampbell08105 at gmail.com>
> wrote:
>
>> >> 10.0.0.13 dc01.internal.test-server dc01
>>
>> > I hope that is a typo, the fqdn has lost the '.lan' from the end
>>
>> It was. It was just a copy and paste but maybe when I was editing the
>> email I removed it by accident.  It is correct in the actual file.
>>
>> >> search dc01.internal.test-server.lan
>>
>> > No, your dns domain is 'internal.test-server.lan' so the line should be:
>> > search internal.test-server.lan
>>
>> I did make this change during my troubleshooting while waiting for a
>> response.  Previously, DC01 was the subdomain [incorrectly] and I didn't
>> remove it when I made the changes.
>>
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>>
>> > I would remove the two lines above, you do not need them and they just
>> > slow things down.
>>
>> Yes. It said that in the wiki but I thought it would provide some info if
>> there were a problem since it said only use for testing purposes.
>>
>> >> krb5.conf:
>> >> [libdefaults]
>> >> default_realm = INTERNAL.TEST-SERVER.LAN
>> >> dns_lookup_realm = true
>> >> dns_lookup_kdc = true
>>
>> > As the DC, you only need the lines above
>>
>> This is on the FS (file server, the one I'm joining as a member).  Should
>> it still only be these lines?
>>
>> >> net ads join -U administrator
>> >> Enter administrator's password:
>> >> Using short domain name -- INTERNAL
>> >> Joined 'FS01' to dns domain 'internal.test-server.lan'
>> >> DNS Update for fs01.internal.test-server.lan failed:
>> >> ERROR_DNS_UPDATE_FAILED
>>
>> > How did that succeed if your dns domain is now
>> > 'internal.test-server.lan' ?
>>
>> Not sure but maybe because fs01.internal.test-server.lan and
>> internal.test-server.lan resolves to the same IP?
>>
>> > Are the winbind links set up correctly and is 'winbind' set on the
>> > 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>>
>> passwd:     files winbind #systemd
>> group:      files winbind #systemd
>>
>> I just commented out systemd and now I get a response
>>
>> getent group "INTERNAL\\Domain Users"
>> domain users:x:110513:
>>
>> Still something is wrong with dns.  I'm not able to resolve from DC01 to
>> FS01 but I can the other way.
>>
>> net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- INTERNAL
>> Joined 'FS01' to dns domain 'internal.test-server.lan'
>> DNS Update for fs01.internal.test-server.lan failed:
>> ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> On DC01 I had to do this to get reverse lookups to work:
>> samba-tool dns add internal.test-server.lan 0.0.10.in-addr.arpa 13 PTR
>> internal.test-server.lan
>>
>> If I try something similar on FS01, it complains about port 135
>> refusing.  Samba isn't running on FS01 as it is on DC01.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> In all things, Be Intentional.
>>
>>
>> On Tue, Oct 12, 2021 at 2:18 PM Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
>>> > *Debian server first DC: DC01*
>>> >
>>> > hostname: DC01
>>> >
>>> > /etc/hosts:
>>> > 127.0.0.1 localhost
>>> > 10.0.0.13 dc01.internal.test-server dc01
>>>
>>> I hope that is a typo, the fqdn has lost the '.lan' from the end
>>>
>>> >
>>> >
>>> >
>>> >
>>> > krb5.conf:
>>> > [libdefaults]
>>> > default_realm = INTERNAL.TEST-SERVER.LAN
>>> > dns_lookup_realm = false
>>> > dns_lookup_kdc = true
>>> >
>>> > [realms]
>>> > INTERNAL.TEST-SERVER.LAN = {
>>> > default_domain = internal.test-server.lan
>>> > }
>>> >
>>> > [domain_realm]
>>> > DC01 = INTERNAL.TEST-SERVER.LAN
>>> >
>>>
>>> You only need the first four lines and the '[domain_realm]' is totally
>>> wrong anyway.
>>>
>>> > ========================================
>>> > *Fedora first file server: FS01*
>>> >
>>> > smb.conf:
>>> > [global]
>>> > workgroup = INTERNAL
>>> > security = ADS
>>> > realm = INTERNAL.TEST-SERVER.LAN
>>> >
>>> > winbind refresh tickets = Yes
>>> > vfs objects = acl_xattr
>>> > map acl inherit = Yes
>>> > store dos attributes = Yes
>>> > idmap config * : backend = autorid
>>> > idmap config * : range = 10000-24999999
>>> >
>>> > dedicated keytab file = /etc/krb5.keytab
>>> > kerberos method = secrets and keytab
>>> > winbind use default domain = yes
>>> > winbind enum users = yes
>>> > winbind enum groups = yes
>>>
>>> I would remove the two lines above, you do not need them and they just
>>> slow things down.
>>>
>>> > winbind separator = +
>>> >
>>> > load printers = no
>>> > printing = bsd
>>> > printcap name = /dev/null
>>> > disable spoolss = yes
>>> >
>>> > username map = /etc/samba/usermap.txt
>>> >
>>> > krb5.conf:
>>> > [libdefaults]
>>> > default_realm = INTERNAL.TEST-SERVER.LAN
>>> > dns_lookup_realm = true
>>> > dns_lookup_kdc = true
>>>
>>> As the DC, you only need the lines above
>>>
>>> >
>>> > /etc/hosts:
>>> > 127.0.0.1   localhost
>>> > ::1         localhost
>>> > 10.0.0.10 fs01.internal.test-server.lan fs01
>>> >
>>> > hostname: FS01
>>> >
>>> > resolv.conf:
>>> > # Generated by NetworkManager
>>> > nameserver 10.0.0.13
>>> > search dc01.internal.test-server.lan
>>>
>>> No, your dns domain is 'internal.test-server.lan' so the line should
>>> be:
>>> search internal.test-server.lan
>>>
>>> >
>>> > I'm sure there may be some things not quite right with smb.conf but I've
>>> > been trying things online since the default didn't work.  I get the same
>>> > reply when trying to join the domain:
>>> > net ads join -U administrator
>>> > Enter administrator's password:
>>> > Using short domain name -- INTERNAL
>>> > Joined 'FS01' to dns domain 'internal.test-server.lan'
>>> > DNS Update for fs01.internal.test-server.lan failed:
>>> > ERROR_DNS_UPDATE_FAILED
>>>
>>> That is because you still have problems in your dns
>>>
>>> > DNS update failed: NT_STATUS_UNSUCCESSFUL
>>> >
>>> > netstat -tulpn | egrep 'samba|nmb|smb|bind'
>>> > tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      5585/smbd
>>> > tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      5585/smbd
>>> > tcp6       0      0 :::445                  :::*                    LISTEN      5585/smbd
>>> > tcp6       0      0 :::139                  :::*                    LISTEN      5585/smbd
>>> > udp        0      0 10.0.0.255:137          0.0.0.0:*                           5586/nmbd
>>> > udp        0      0 10.0.0.10:137           0.0.0.0:*                           5586/nmbd
>>> > udp        0      0 0.0.0.0:137             0.0.0.0:*                           5586/nmbd
>>> > udp        0      0 10.0.0.255:138          0.0.0.0:*                           5586/nmbd
>>> > udp        0      0 10.0.0.10:138           0.0.0.0:*                           5586/nmbd
>>> > udp        0      0 0.0.0.0:138             0.0.0.0:*                           5586/nmbd
>>> >
>>> > wbinfo --ping-dc
>>> > checking the NETLOGON for domain[INTERNAL] dc connection to
>>> > "dc01.internal.test-server.lan" succeeded
>>>
>>> How did that succeed if your dns domain is now
>>> 'internal.test-server.lan' ?
>>>
>>> >
>>> > getent passwd INTERNAL\\username (Nothing)
>>> > getent group "INTERNAL\\Domain Users" (Nothing)
>>>
>>> Are the winbind links set up correctly and is 'winbind' set on the
>>> 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>>>
>>> Rowland
>>>
>>>
>>>
>>
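
The two name-resolution mistakes pointed out in this thread (an /etc/hosts FQDN that lost its '.lan', and a resolv.conf 'search' line that includes the host name) can be checked mechanically before running 'net ads join'. The script below is an added example, not part of the original thread and not Samba's own code; it assumes the DNS domain is the lower-cased realm, as it is here, and the function names are hypothetical.

```python
"""Added example: consistency check for the files discussed in this thread."""

def parse_hosts(text):
    """Return [(ip, [names...])] from /etc/hosts text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries

def parse_search(text):
    """Return the domains on the 'search' line of resolv.conf text."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "search":
            return fields[1:]
    return []

def check_host(hostname, realm, hosts_text, resolv_text):
    """Return a list of findings; an empty list means the files agree."""
    dns_domain = realm.lower()          # assumption: DNS domain == lower-cased realm
    short = hostname.lower()
    fqdn = f"{short}.{dns_domain}"
    findings = []
    # Entries that name this host on a routable (non-loopback) address.
    own = [names for ip, names in parse_hosts(hosts_text)
           if short in (n.lower() for n in names)
           and not ip.startswith("127.") and ip != "::1"]
    if not own:
        findings.append(f"hosts: no non-loopback entry for {short}")
    for names in own:
        if names[0].lower() != fqdn:    # the FQDN must come first, then the short name
            findings.append(f"hosts: first name is {names[0]}, expected {fqdn}")
    search = [d.lower() for d in parse_search(resolv_text)]
    if dns_domain not in search:
        findings.append(f"resolv.conf: search is {search}, expected {dns_domain}")
    return findings

# Constructed inputs, built from the values quoted in the thread.
REALM = "INTERNAL.TEST-SERVER.LAN"
DC01_HOSTS = "127.0.0.1 localhost\n10.0.0.13 dc01.internal.test-server dc01\n"
FS01_HOSTS = ("127.0.0.1   localhost\n::1         localhost\n"
              "10.0.0.10 fs01.internal.test-server.lan fs01\n")
FS01_RESOLV = ("# Generated by NetworkManager\nnameserver 10.0.0.13\n"
               "search dc01.internal.test-server.lan\n")
FIXED_RESOLV = "nameserver 10.0.0.13\nsearch internal.test-server.lan\n"

if __name__ == "__main__":
    for finding in check_host("FS01", REALM, FS01_HOSTS, FS01_RESOLV):
        print(finding)
```

On a real host, read /etc/hosts and /etc/resolv.conf into the two text arguments instead of using the constructed strings.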

